> Adding H.P.S. to HelenOS introduces a new security mechanism, distinct from
> the one already provided naturally via HelenOS IPC. We should try to devise
> an IPC-based (i.e. capability-style) privilege control mechanism and compare
> both approaches.

I disagree with this interpretation. Capabilities in principle don't mandate how
privileges are managed. I.e. even with capabilities, it's still necessary to
invent a way to describe which task is supposed to have which capabilities. A
fully implicit system (privileges only being represented by code working with
capabilities) is a possibility, but it would risk devolving into a chaotic mess
that's incomprehensible to a human user.

In this sense, H.P.S. used as a complementary mechanism for naming privileges
on top of capabilities seems like a reasonable thing to try in my opinion.

> Complex privilege sets
> ----------------------
> It is possible to define the complex privilege set as the closure of simple
> privilege sets over set operations. It is possible to represent a complex
> privilege set as a prefix tree where [...]

I was working on something similar in the context of file systems,
and a tree representation is quite hard to reason about, in my experience.

What I would suggest in this case is a sorted list of positive and negative
rules (if not in actual implementation, then at least in specification),
like you can see in firewall rules, e.g.:

    allow fs:/a/b/c/d
    deny fs:/a/b/c
    allow fs:/a/b
    deny *

This particular rule set would permit access to '/a/b/c/d', but not to '/a/b/c'
or anything else in it except 'd', and it would also allow access to anything
in '/a/b' except for permissions in '/a/b/c'.

But note that in any representation of the complex system, granting '/a/b/c'
cannot implicitly grant '/a/b/c/*', since the parent granting that permission
may not have access to the nested permissions. This would make the system much
less hierarchical.


On 25 September 2017 at 13:03, Jiri Svoboda <[email protected]> wrote:
> Hi,
>
> we've had some interesting discussion around my proposal for a privilege
> system on the way back from the meeting, regarding using capabilities. I
> thought it would be good idea to capture my current idea for a privilege
> system as it stands, in writing. Please find it attached.
>
> This should help put the discussions on a more solid ground. I tried to
> describe the system in such a way that it can be tested (without an actual
> implementation) and compared to another approach. Next I would like to look
> into the Genode book introduction, as suggested by Jakub, try to come up
> with an alternate, capability-based approach and then try to compare
> different approaches.
>
> Any feedback is highly appreciated.
>
> Best regards,
> Jiri
>
> _______________________________________________
> HelenOS-devel mailing list
> [email protected]
> http://lists.modry.cz/listinfo/helenos-devel
>

_______________________________________________
HelenOS-devel mailing list
[email protected]
http://lists.modry.cz/listinfo/helenos-devel
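
The firewall-style rule list above, worked through as an added example (this is not code from the thread or from HelenOS). It assumes first-match semantics, that a rule covers its own privilege name plus anything nested below it at a '/' boundary, that "*" covers everything, and that no match means deny. It also goes one step beyond the message: delegation_bounded() implements the caveat that a task cannot hand a child a rule set granting anything the task itself lacks, which is the check that keeps "allow /a/b" in a child from implicitly granting "/a/b/c" when the parent was denied it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed rule model (not from the thread): ordered allow/deny rules over
 * hierarchical privilege names such as "fs:/a/b/c"; first match decides. */

typedef enum { RULE_DENY = 0, RULE_ALLOW = 1 } rule_action_t;

typedef struct {
    rule_action_t action;
    const char *privilege;   /* "fs:/a/b/c", or "*" for everything */
} rule_t;

/* Does the rule's privilege cover `name`? Prefix match, but only at a path
 * component boundary, so "fs:/a/b" covers "fs:/a/b/c" but not "fs:/a/bc". */
static bool rule_covers(const char *pattern, const char *name)
{
    if (strcmp(pattern, "*") == 0)
        return true;
    size_t plen = strlen(pattern);
    if (strncmp(pattern, name, plen) != 0)
        return false;
    return name[plen] == '\0' || name[plen] == '/';
}

/* Firewall-style evaluation: the first rule that covers the name decides.
 * Returns the index of that rule, or -1 when nothing matches. */
static int first_match(const rule_t *rules, size_t nrules, const char *name)
{
    for (size_t i = 0; i < nrules; i++)
        if (rule_covers(rules[i].privilege, name))
            return (int)i;
    return -1;
}

bool is_allowed(const rule_t *rules, size_t nrules, const char *name)
{
    int i = first_match(rules, nrules, name);
    return i >= 0 && rules[i].action == RULE_ALLOW;   /* default deny */
}

/* Delegation check for the caveat in the message: a parent may hand a rule
 * set to a child only if everything the child's set allows, the parent's set
 * allows too. Testing the names mentioned in either set (plus "*") suffices:
 * for any other name, first-match only consults rules whose privilege is a
 * prefix of it, so both sets decide it exactly as they decide its longest
 * mentioned ancestor (or "*" when it has none). */
bool delegation_bounded(const rule_t *parent, size_t np,
                        const rule_t *child, size_t nc)
{
    if (is_allowed(child, nc, "*") && !is_allowed(parent, np, "*"))
        return false;
    for (size_t i = 0; i < np + nc; i++) {
        const char *name = (i < np) ? parent[i].privilege
                                    : child[i - np].privilege;
        if (is_allowed(child, nc, name) && !is_allowed(parent, np, name))
            return false;
    }
    return true;
}

/* The rule set from the message, in the order written. */
const rule_t example_rules[] = {
    { RULE_ALLOW, "fs:/a/b/c/d" },
    { RULE_DENY,  "fs:/a/b/c" },
    { RULE_ALLOW, "fs:/a/b" },
    { RULE_DENY,  "*" },
};
const size_t example_nrules = sizeof(example_rules) / sizeof(example_rules[0]);

/* Two candidate child rule sets (constructed for this example). */
const rule_t narrow_child[] = { { RULE_ALLOW, "fs:/a/b/c/d" }, { RULE_DENY, "*" } };
const rule_t wide_child[]   = { { RULE_ALLOW, "fs:/a/b" },     { RULE_DENY, "*" } };

bool example_allowed(const char *name)
{
    return is_allowed(example_rules, example_nrules, name);
}

int main(void)
{
    const char *names[] = { "fs:/a/b/c/d", "fs:/a/b/c/d/e", "fs:/a/b/c",
                            "fs:/a/b/c/x", "fs:/a/b", "fs:/a/b/e",
                            "fs:/a/bc", "fs:/a", "net:tcp" };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-14s %s\n", names[i], example_allowed(names[i]) ? "allow" : "deny");
    printf("narrow child bounded: %d\n",
           delegation_bounded(example_rules, example_nrules, narrow_child, 2));
    printf("wide child bounded:   %d\n",
           delegation_bounded(example_rules, example_nrules, wide_child, 2));
    return 0;
}
```

Order is the whole semantics here: moving "deny fs:/a/b/c" below "allow fs:/a/b" would silently re-open '/a/b/c', and the boundary check in rule_covers() is what stops 'fs:/a/b' from also covering a sibling like 'fs:/a/bc'.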
